nwfilter: serialize execution of scripts with ebtables cmds

While testing the SIGHUP handling and reloading of the nwfilter driver, I found that when the filters are rebuilt and mutlipe threads handled the individual interfaces, concurrently running multiple external bash scripts causes strange failures even though the executed ebtables commands are working on different tables for different interfaces. I cannot say for sure where the concurrency problems are caused, but introducing this lock definitely helps.

src/nwfilter/nwfilter_ebiptables_driver.c

@@ -104,6 +104,7 @@ static int ebiptablesDriverInit(void);
 static void ebiptablesDriverShutdown(void);
 static int ebtablesCleanAll(const char *ifname);
 
+static virMutex execCLIMutex;
 
 struct ushort_map {
     unsigned short attr;
@@ -2309,8 +2310,13 @@ ebiptablesExecCLI(virBufferPtr buf,
         return 1;
 
     argv[0] = filename;
+
+    virMutexLock(&execCLIMutex);
+
     rc = virRun(argv, status);
 
+    virMutexUnlock(&execCLIMutex);
+
     *status >>= 8;
 
     VIR_DEBUG("rc = %d, status = %d",rc, *status);
@@ -3163,8 +3169,9 @@ tear_down_tmpebchains:
     ebiptablesExecCLI(&buf, &cli_status);
 
     virNWFilterReportError(VIR_ERR_BUILD_FIREWALL,
-                           "%s",
+                           _("Some rules could not be created for "
-                           _("Some rules could not be created."));
+                             "interface %s."),
+                           ifname);
 
     return 1;
 }
@@ -3364,6 +3371,9 @@ ebiptablesDriverInit(void)
     virBuffer buf = VIR_BUFFER_INITIALIZER;
     int cli_status;
 
+    if (virMutexInit(&execCLIMutex))
+        return EINVAL;
+
     bash_cmd_path = virFindFileInPath("bash");
     gawk_cmd_path = virFindFileInPath("gawk");
     grep_cmd_path = virFindFileInPath("grep");